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This is in response to the Pre-Appeal Brief Request for Review filed Aug. 30. 2007 . 

1 . □ Improper Request - The Request is improper and a conference will not be held for the following 
reason(s): 

□ The Notice of Appeal has not been filed concurrent with the Pre-Appeal Brief Request. 

□ The request does not include reasons why a review is appropriate. 

□ A proposed amendment is included with the Pre-Appeal Brief request. 

□ Other: 



The time period for filing a response continues to run from the receipt date of the Notice of Appeal or from 
the mail date of the last Office communication, if no Notice of Appeal has been received. 



2. Proceed to Board of Patent Appeals and Interferences - A Pre-Appeal Brief conference has been 
held. The application remains under appeal because there is at least one actual issue for appeal. Applicant 
is required to submit an appeal brief in accordance with 37 CFR 41 .37. The time period for filing an appeal 
brief will be reset to be one month from mailing this decision, or the balance of the two-month time period 
running from the receipt of the notice of appeal, whichever is greater. Further, the time period for filing of the 
appeal brief is extendible under 37 CFR 1 .136 based upon the mail date of this decision or the receipt date 
of the notice of appeal, as applicable. 

K The panel has determined the status of the claim(s) is as follows: 

Claim(s) allowed: . 

Claim(s) objected to: . 

Claim(s) rejected: 1-21 . * 

Claim(s) withdrawn from consideration: . , /■ A ^/) i - *" TT ' • 

3. □ Allowable application - A conference has been held. The rejection is withdrawn and a Notice of 
Allowance will be mailed. Prosecution on the merits remains closed. No further action is required by 
applicant at this time. 



4. □ Reopen Prosecution - A conference has been held. The rejection is withdrawn and^a-qew Office 
action will be mailed. No further action is required by applicant at this time. 



All participants: 

(1 ) Aravind Moorthv . 

(2) Chris Revak . 
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As to claim 1, McClure et al discloses a computerized method for reducing the 
false alarm rate of network intrusion detection systems, comprising: 

receiving, from a network intrusion detection sensor, one or more 
data packets associated with an alarm indicative of a potential attack on a 
target host [column 31, lines 19-36]; (McClure discloses that in the 
decision step 730, the process determines whether all the live target 
computers have been processed in TCP full connect scanning or whether 
all the batches of live target computers have been processed in TCP SYN 
scanning. If all the target computers or all the batches of target computers 
have been processed, the process ends. Otherwise, the process proceeds to 
a TCP service scan routine 740 wherein the process uses a TCP service 
discovery list 742 to identify the TCP service ports to be examined for 
each target computer. As described above, TCP packets are sent to the 
identified TCP service ports of each target computer, and the target 
computer vulnerability database 714 is updated for each target computer in 
accordance with whether a response is received or is not received from 
each target computer for each TCP service port scanned and using the 
known vulnerability database to obtain the vulnerability information for 
the particular TCP service ports that are determined to be open. Packets 
are received indicative of vulnerabilities. 

identifying characteristics of the alarm from the data packets, 
including at least an attack type and an operating system fingerprint of the 



target host [column 16, lines 3-10; column 18, lines 20-42]; (McClure 
discloses in the scoring routine 370, described in more detail below, the 
method establishes a vulnerability score for each target computer and for 
the network based on the results of the active assessment and based on the 
vulnerability information in the known vulnerability database 366. The 
method then proceeds to a reporting routine 372, also described in more 
detail below, wherein the method reports the results of the scanning, active 
assessment and scoring. McClure discloses while more than one OS 
fingerprint may be associated with each operating system, collisions 
between fingerprints of distinct operating systems have been found to be 
highly unlikely. Tables can be compiled for other operating systems 
similar to that shown in Table 2. As operating system versions and 
popularity change over time, the fingerprint database is advantageously 
regularly updated to account for patches, version changes, and new 
operating systems. The fingerprint style shown above is only one 
embodiment of such a database, and any efficient method to store the 
operating system fingerprint can be used, based upon the TCP options 
altered, number of packets typically sent to a target computer, other TCP 
fields stored for recognition, and identification field used to represent a 
particular operating system and version, and the like. In one example, a 
unique data string for a particular operating system is compressed and 
stored using a digest algorithm such as MD5, and the like. For further 
example, perfect matching of fingerprints is not required: a system may 



employ a percentage match, such as, for example, 90% similarity between 
two fingerprints, as sufficient to identify a target computer as having a 
particular operating system or at least being in particular family of 
operating systems. 

identifying the operating system type from the operating system 
fingerprint [column 18, lines 20-42]; (As discussed above, the operating 
system is identified from the fingerprint.) 

comparing the attack type to the operating system type [column 29, 
lines 1-13] (McClure discloses target computers that respond positively to 
this attack are added to a list of vulnerable computers to undergo 
vulnerability assessment for each open target port found. The 
vulnerabilities used are typically limited to those associated with the 
operating system of the target computer as discovered by the operating 
system identification system described previously, and by those 
vulnerabilities associated with the open ports found on the target 
computer. If the operating system of the target computer cannot be 
conclusively identified, then typically all vulnerabilities associated with 
the open ports found on the target computer during the service discovery 
system described herein are tested against the target computer.); and 

indicating whether the target host is vulnerable to the attack based 
on the comparison [column 29, lines 1-13]. (See above) 



